Home Explore Help
Sign In
dfanfdsanfdsa
/
ood-ports-lbsd-fork1
forked from jimmy/ood-ports-lbsd
Watch 1
Star 0
Fork 0
Files
Tree: f08698bfd3
Branches Tags
ood-ports-lb...
/
mail
/
dovecot
/
patches
/
patch-src_auth_password-scheme-crypt_c

patch-src_auth_password-scheme-crypt_c 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061 
  1. $OpenBSD: patch-src_auth_password-scheme-crypt_c,v 1.4 2016/11/01 14:12:04 sthen Exp $
    2. 

  2. 

  3. Dovecot supports various password schemes, e.g. {MD5}, {SHA1},
    4. 

  4. {SSHA512}, {CRYPT}, etc.  This is used in two cases:
    5. 

  5. 

  6. 1. Identifying schemes available for 'doveadm pw -s <scheme>' to
    7. 

  7. generate a hashed password from user input.
    8. 

  8. 

  9. 2. Deciding which schemes to allow in a password database.
    10. 

  10. Entries are stored as {SCHEME}passwordhash; the string from within
    11. 

  11. brackets is checked against the list of supported schemes.
    12. 

  12. 

  13. One common scheme is {CRYPT} which passes to the OS crypt() function and
    14. 

  14. is often used with LDAP password databases as it's also supported by
    15. 

  15. OpenLDAP for its own authentication.
    16. 

  16. 

  17. After DES was removed from crypt(), 'doveadm pw -s CRYPT' started
    18. 

  18. segfaulting on OpenBSD. To avoid this Dovecot was changed to
    19. 

  19. test-encrypt a password and check that it can be verified,
    20. 

  20. if not then that scheme is knocked out. But as well as stopping
    21. 

  21. the segfault in case 1, it also prevents it from being used for
    22. 

  22. case 2 i.e. verifying passwords.
    23. 

  23. 

  24. Result:
    25. 

  25. 

  26. dovecot: auth: Error: ldap(xyz,11.22.33.44,<asdafasfasdasfsa>): Unknown scheme CRYPT
    27. 

  27. 

  28. This patch re-allows CRYPT as a supported scheme. On OpenBSD it will
    29. 

  29. encrypt as blowfish, on other OS it will encrypt as DES. Verification
    30. 

  30. will work with whichever password formats are supported by the OS.
    31. 

  31. 

  32. --- src/auth/password-scheme-crypt.c.orig	Fri Jan  8 01:04:13 2016
    33. 

  33. +++ src/auth/password-scheme-crypt.c	Fri Jan  8 01:23:35 2016
    34. 

  34. @@ -111,7 +111,12 @@ static const struct {
    35. 

  35.  	const char *salt;
    36. 

  36.  	const char *expected;
    37. 

  37.  } sample[] = {
    38. 

  38. +#ifdef __OpenBSD__
    39. 

  39. +	{ "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
    40. 

  40. +	  "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
    41. 

  41. +#else
    42. 

  42.  	{ "08/15!test~4711", "JB", "JBOZ0DgmtucwE" },
    43. 

  43. +#endif
    44. 

  44.  	{ "08/15!test~4711", "$2a$04$0123456789abcdefABCDEF",
    45. 

  45.  	  "$2a$04$0123456789abcdefABCDE.N.drYX5yIAL1LkTaaZotW3yI0hQhZru" },
    46. 

  46.  	{ "08/15!test~4711", "$5$rounds=1000$0123456789abcdef",
    47. 

  47. @@ -124,8 +129,13 @@ static const struct {
    48. 

  48.  
    49. 

  49.  /* keep in sync with the sample struct above */
    50. 

  50.  static const struct password_scheme crypt_schemes[] = {
    51. 

  51. +#ifdef __OpenBSD__
    52. 

  52.  	{ "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
    53. 

  53. +	  crypt_generate_blowfisch },
    54. 

  54. +#else
    55. 

  55. +	{ "CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
    56. 

  56.  	  crypt_generate_des },
    57. 

  57. +#endif
    58. 

  58.  	{ "BLF-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
    59. 

  59.  	  crypt_generate_blowfisch },
    60. 

  60.  	{ "SHA256-CRYPT", PW_ENCODING_NONE, 0, crypt_verify,
    61. 

  61.